
Cloud Vulnerability DB
A community-led vulnerabilities database
A heap-buffer-overflow (off-by-one) vulnerability was discovered in the GnuTLS software, specifically in the template parsing logic within the certtool utility. The vulnerability was disclosed on July 10, 2025, and affects the GnuTLS package across multiple platforms including Ubuntu and Red Hat Enterprise Linux distributions. This security issue has been assigned CVE-2025-32990 with a CVSS v3.1 base score of 6.5 (Medium severity) (NVD, Red Hat Security).
The vulnerability is classified as a heap-based buffer overflow (CWE-122) that occurs when the certtool utility reads certain settings from a template file. The flaw allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, which can lead to memory corruption. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (Snyk, Red Hat Security).
The exploitation of this vulnerability can result in memory corruption and denial-of-service (DoS) conditions that could potentially crash the system. While there is no direct impact on confidentiality, the vulnerability does affect system integrity and availability at a low level. The impact is particularly concerning for systems that rely on the GnuTLS certtool utility for certificate management operations (Ubuntu Security, NVD).
Several Linux distributions have released patches to address this vulnerability. Ubuntu has released updates for versions 25.04, 24.04 LTS, and 22.04 LTS. For Debian 12, users should upgrade the gnutls28 package to version 3.7.9-2+deb12u5 or higher. Red Hat has marked this issue as 'Fix deferred' for some products while others are marked as 'Affected' (Ubuntu Security, Snyk).
Source: This report was generated using AI